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Abstract —Since the advent of software defined networks 
(SDN), there have been many attempts to outsource the complex 
and costly local network functionality, i.e. the middlebox, to 
the cloud in the same way as outsourcing computation and 
storage. The privacy issues, however, may thwart the enterprises’ 
willingness to adopt this innovation since the underlying config¬ 
urations of these middleboxes may leak crucial and confidential 
information which can be utilized by attackers. To address this 
new problem, we use firewall as an sample functionality and 
propose the first privacy preserving outsourcing framework and 
schemes in SDN. The basic technique that we exploit is a ground¬ 
breaking tool in cryptography, the cryptographic multilinear map. 
In contrast to the infeasibility in efficiency if a naive approach 
is adopted, we devise practical schemes that can outsource the 
middlebox as a blackbox after obfuscating it such that the 
cloud provider can efficiently perform the same functionality 
without knowing its underlying private configurations. Both 
theoretical analysis and experiments on real-world firewall rules 
demonstrate that our schemes are secure, accurate, and practical. 

I. Introduction 

Although network functionalities play an important role 
in enterprise network to make it robust, fast, and secure, 
they often burden a company with great hardware financial 
pressure and management complexity. Network middleboxes, 
such as firewalls and intrusion detection systems (IDS), are 
the customized appliances to implement these sophisticated 
functionalities, and they are also often hard to deploy and 
upgrade. A recent survey (T) reveals that the investments in 
network infrastructures deployment of these middleboxes as 
well as in the personnel cost of managing and maintaining 
them are substantial. 

The emergence of SDN helps us separate the logic control 
from the basic traffic processing, so we can relieve some of the 
above “pain points” to a certain extent by taking the advantage 
of SDN EMU. But though the management of networks can 
be simplified by SDN, it still has many shortcomings. For 
instance, because these functionalities are still implemented 
within the enterprise network, the hardware cost and the 
everyday maintenance cost are still there. 

Thus, to further reduce the cost and complexity faced by 
local networks, some SDN researchers have attempted to 
outsource these network functionalities or middleboxes out to 
cloud providers, in the same way that the computation and 
storage services have been successfully outsourced ID, 0. Af¬ 
ter migrating middleboxes to cloud, the local enterprises will 


receive better services with less expenditure and management 
complexity since the cloud provider can deploy more advanced 
hardware and hire professional experts to offer better network 
functionality services by taking advantage of economies of 
scale. Moreover, the local enterprise can also have a clearer 
and more elastic network infrastructure. 

However, the outsourcing of local SDN middleboxes may 
bring in serious privacy issues ID- Because at present, an 
enterprise has to provide the detailed underlying configurations 
of these middleboxes, which may embody very sensitive and 
important enterprise secrets, when outsourcing middleboxes. 
For example, the configurations of firewalls or IDS may reveal 
what the enterprise network topology looks like and how 
different sectors within an enterprise are regulated. These 
policies or configurations are set and known by a restricted 
few administrators even before outsourcing. Were these con¬ 
fidential pieces of information hidden in these polices to be 
exposed to adversaries, they may be utilized to impose a great 
threat to the enterprise Q. 

In brief, the new challenges in this scenario now we face 
are: 1) we need to protect the private information hidden in the 
configurations of these outsourced middleboxes; 2) we need to 
allow the cloud provider to perform the network functionalities 
without mistakes ( or with acceptable errors). Note that in line 
with existing outsourcing architecture in SDN ID, 0, 0, we 
assume that the cloud provider for an enterprise is its Internet 
Service Providers (ISP), so we will not consider the protection 
of the packet flows of the enterprise here. 

In this paper, we try to address these challenges by de¬ 
signing a privacy preserving scheme for network middlebox 
outsourcing in SDN, exploiting a cryptographic multilinear 
map, a powerful cryptographic tool that was recently invented 
EHUD. To keep things concrete, in this paper we will take 
firewalls, a typical and indispensable network middlebox, as a 
case study. 

The main idea of our scheme is to use cryptographic 
multilinear map to obfuscate the rules in a firewall efficiently 
such that the original configurations are protected while their 
functionality is preserved. The theoretical foundation of our 
idea is cryptographic program obfuscation IH, Q3- In our 
work, we first present framework SOFA (Secure framework 
for Outsourcing FirewAll). This framework consists of two 
phases. First, the controller in the enterprise SDN constructs 
a cryptographic obfuscator for the firewall based on its 
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rules. This obfuscator encodes the firewall rules such that 
the underlying confidential information cannot be derived. 
Then this enterprise transmits this obfuscated firewall to a 
provider. In the second phase, the cloud provider performs 
the firewall functionality by filtering incoming and outgoing 
network traffics with this obfuscated firewall without knowing 
the detailed configurations. Based on this overall framework, 
a basic scheme and two enhanced schemes are proposed to 
address the detailed technical issues. 

To summarize, we have made three main contributions in 
our work: 

• To the best of our knowledge, we are the first to deal 
with the privacy problem about network functionality 
outsourcing (NFO) in SDN. The obfuscation approach 
we propose has a solid theoretical foundation. And frame¬ 
work SOFA is compatible with existing SDN outsourcing 
architecture, such as APLOMB JT). 

• To outsource firewalls as a concrete example, we propose 
a basic scheme which is efficient in the first phase, 
and two enhanced schemes which can further improve 
the efficiency in the second phase. We also analyse the 
complexity and security of our algorithms to show that 
they are efficient, secure, and reliable. 

• We implement a prototype of our schemes, and evaluate 
its performance on real-world firewall rules, the results 
show that our proposed schemes are practical. 

Our paper are organized as follows. First, we review some 
related work in section QT] In section [HI] we give formal 
definition to the privacy issues in network functionality out¬ 
sourcing and introduce some basic cryptographic backgrounds. 
In section HY1 we present framework SOFA and a basic 
scheme. Some approaches which can boost its efficiency are 
discussed in [V] The security of these algorithms is analysed in 
section[vT] Evaluation of SOFA with firewall rules is presented 
in section 1 VIII Finally, in section IVIIII we conclude our work 
and discuss some potential future research directions. 

II. Related Works 

In this section, we review some recent works on outsourcing 
frameworks in SDN, some privacy-preserving outsourcing 
techniques in cloud computing or traditional enterprise net¬ 
works. We can see that no existing work can effectively 
address the novel challenges we have proposed. 

A. Outsourcing network functionality in SDN 

There has already been much research done about the 
outsourcing of network middleboxes services exploiting the 
advantage of SDN (TJ, |6], (8], fl4l , fl5l . Sherry et al. (T) 
design and implement a prototype of APLOMB architecture, 
by which the middlebox processing within enterprises can be 
outsourced to clouds. This architecture is mainly intended to 
deal with the problem of how to redirect the traffic to/from 
the enterprise SDN to the cloud without greatly damaging 
performance. It is compatible with many specific middleboxes, 
such as firewalls. Gibb et al. {6j also envision outsourcing 
these network functionalities to external Feature Providers. 
The main goal of their work is to provide anyone with chances 


to be a network service provider without any limitation on 
location. Cloud-Assisted Routing ID is another scheme aimed 
at offloading the local computation-intensive and memory¬ 
intensive operations in the routing functionality to the cloud. 

There is only a little current research concerning the privacy 
and security problem of outsourcing network functionality in 
SDN. Fayazbakhsh et al. M mainly discuss the roadmap 
to construct a verifiable NFO architecture that can verify the 
correctness on intended functionality, performance assurance 
and can audit the actual workload in the cloud. 

However, none of the these works about outsourcing in SDN 
can address the privacy challenges we have stated. 

B. Privacy Preserving outsourcing in Cloud Computing 

In literature, many schemes are designed to tackle the 
privacy problem of outsourcing data storage and computation 
rather than the network middlebox G3, tm. However, be¬ 
cause the network functionality is often performed on real¬ 
time packet traffics in the cloud, its requirement is different. 
For example, the well-known public auditing framework DU 
introduces a third party auditor to help cloud users check the 
integrity of their outsourced data. However, in this framework 
the user files are sent to the cloud directly without encryption, 
so it will not be applicable to network middlebox outsourcing. 
So these existing approaches for cloud computing or storage 
are incapable of addressing this new problem. 

Khakpour and Liu 0 present Landon, a framework to 
address the problem of how to protect the firewall policies 
when it is outsourced to a cloud provider in traditional 
enterprise networks. The main idea of this framework is to 
convert the raw access control lists to an equivalent Firewall 
Decision Diagram (FDD) and then to anonymize the FDD 
with Bloom Filters. This framework works well after some 
complex optimization methods are used. The limitation of this 
framework is that it is based on a specific presentation (FDD) 
of firewall and the Bloom Filter is not very secure and has 
some drawbacks GO- 

C. Related Cryptographical Research 

In cryptography, there is also some theoretical work dealing 
with similar problems, such as methods based on Yao’s 
garbled circuits for secure multi-party computation ||20j. In 
particular, recently Brakerski and Rothblum 0 propose an 
elegant construction for obfuscating conjunctions based on an 
asymmetric multilinear map. This is the fundamental cryp¬ 
tographic tool we will use in this paper. But their work 
focuses on the theoretical construction and security proof 
of obfuscating a single conjunction. So their result, though 
significant in theory, will be impractical in practice in directly 
obfuscating numerous firewall rules. We will discuss this 
problem at length in section HVl 

III. Problem formulation and Preliminaries 

In this section, we formulate the privacy problems of NFO 
in SDN. To this end, we first review the overall architecture for 
outsourcing network functionality, and give its threat model. 
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TABLE I: Firewall Rule Examples 


rule 

Source 

Destination 

Protocol 

Action 

# 

ip 

Port 

ip 

Port 

i 

192.168.45.* 

* 

* 

* 

* 

deny 

2 

10.*.*.* 

* 

192.168.4.* 

80 

TCP 

permit 

3 

10.56.*.* 

* 

192.168.*.* 

[22,88] 

TCP 

permit 

4 

114.212.190.* 

8000 

* 

8090 

UDP 

deny 


Specifically, we give a definition for privacy preserving out¬ 
sourcing firewalls. In addition, we also recall some important 
cryptographic backgrounds about multilinear map. 

A. System Model 

The overall architecture for outsourcing network functional¬ 
ity to cloud has been proposed, such as APLOMB JT] and Jin¬ 
gling 0. In such architecture, enterprise administrators spec¬ 
ify the policies of middleboxes with its local SDN controller in 
a simple way. Then by the communication mechanism between 
the enterprise clients and the cloud provider, these policies are 
transmitted to the cloud controller and service requirements 
are also negotiated. The controller in cloud SDN then trans¬ 
late these policies into low-level network configurations for 
middleboxes, and then manage the cloud network resources 
to carry out the tasks. The traffic redirection of the enterprise 
network flows is also managed by this architecture. We will 
focus on the privacy protection of middlebox configurations 
in the above related procedures. 

B. Threat Model 

We assume that the cloud middlebox provider is semi-honest 
since in the outsourcing system model, the cloud providers 
are commonly the ISPs for enterprises. Because the provider 
performs network tasks on packet traffics of the enterprise, 
it will be able to observe the input packets and the output 
actions of them. So the semi-honest provider may be curious 
to learn information from these input-output histories. But the 
provider should not actively generate tremendous packets to 
attack the outsourced middlebox MB' for such an attack will 
affect the service quality it provides. So the two main threats 
we consider are the analysis of the outsourced MB' itself, and 
the analysis of its running input-output history. 

C. Problem Definition 

Different middleboxes have their own characteristic in de¬ 
tailed configurations, thus in the following we focus on the 
firewall as an example. The configuration of a typical IP 
firewall / is an ordered sequence of rules, and they are usually 
presented in the format of access control lists (ACLs). Some 
examples are shown in Table [Q Technically, the rules can be 
classified as two types: standard ACLs and extended ACLs. 
The standard rules only allow you to deny or permit packets 
by specifying the source IP addresses, like the first one in 
Table |T| Extended rules also allow you to specify the protocol 
type, the destination address and the port ranges, like the other 
examples in table |T] Once the configuration are settled, the 


firewall can perform packet filtering based on these rules to 
protect an enterprise network. 

The rules of the firewall are what we need to protect since 
they may reveal, for example, much information of the enter¬ 
prise’s inner network topology and its security vulnerabilities. 
Specifically, we think that the IP address is more important 
than TCP port since the IP address determines the host end 
while the TCP ports are for specific processes in a host. 
Formally, we give the following definition: 

Definition 1. (Privacy Preserving Firewall Problem) The 

Privacy preserving of a firewall f is the construction of a 
semantically equivalent secure firewall /' such that (1) for 
every packet p, the probability of the decisions on it by f' and 
f are different is negligible, (2) it should be computationally 
efficient to perform the filtering tasks with f', and (3) there 
should be no computationally efficient ways to get the whole 
original plain rules of f based on f' itself. 

It should be easy for us to give privacy preserving definitions 
for other network middleboxes similarly. 

I). Preliminaries 

Here, we first review the definition of cryptographic 
multilinear map , which is the cornerstone of our algorithms. 

Definition 2. (tv-multilinear Map 4771/ . 4271/ ) For k + 1 cyclic 
groups Gi,, G k , Gt of the same order p, a K-multilinear 
map e : G i x • • • x G K —> Gt has the following properties: 

(1) For elements g i £ Gi,...,g K £ G K , index i £ [k] and 
an integer a £ Z p , we have: 

^(,9 i: ■ • *> • gi,..., gf) oc • e(g \,..., gf) 

(2) The map e is non-degenerate, which means that if gi £ 
Gi (i = 1,..., k) is a generator of Gi, then e(g i, ...,g K ) is 
a generator of the target group Gr¬ 
in the above definition, if Gi (i = 1 ,..., n) are all identical 

groups, it is called a symmetric multilinear map. 

A cryptographic multilinear map has been a long sought 
after and powerful tool. Not until recently was it approximately 
constructed in the form of Graded Encoding System m, 
ED- In particular, we will design our algorithms based on 
the construction over integers, which is a more practical one 
devised by Coron, Lepoint, and Tibouchi iflOl . Now we briefly 
recall the definition of Graded Encoding System (GES) and 
its associated efficient procedures for manipulating encodings 
on which the description of our algorithms is based directly. 
Note that we only consider the symmetric case here. 

Definition 3. (k Graded Encoding System fTTj) A n-Graded 
Encoding System consists of a ring R and a system of sets 
S = {S^ £ {0,1}* : v £ N, a £ i?}, with the following 
properties: 

1. For every v £ N, the sets {S^ : a £ R} are disjoint. 

2. There is an associate binary operation ‘+ ’ and a self¬ 
inverse unary operation (on {0,1} ) such that for every 
ai : ct 2 £ R, every index i < n, and every ui £ S^ ai ^ and 
U 2 £ S^ a2 \ it holds that 

r- a( a i+“2) ^ o(~ al ) 

U 1 +U 2 & S> , -Ml £ £>> 
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where ol\ + Ui and —cti are addition and negation in R. 

3. There is an associate binary operation ‘x’ (on {0,1}*) 
such that for every a±, «2 £ R, every ii, with i\ + i r i < k, 

and every u\ £ sj ai ^ and U 2 £ S[° \ it holds that u\ x U 2 £ 

/ , 11 12 

S'i' 1+12 ■ Here a\ ■ 0.2 is multiplication in R, and i\ + *2 is 
integer addition. 

Definition 4. (Efficient Procedures for n-Graded Encoding 
System {773/, EB) For graded encoding system, we have the 
following efficient procedures: 

Instance Generationfparams, P z f) 4— InstGen( 1 A ,1 K ), 
where params is a description of a n-Graded Encoding 
System with security parameter X, and P z t is a zero-test 
parameter for level k. 

Ring Sampler: c 4— samp{params). This procedure out¬ 
puts a “level-zero encoding" c £ Sq for a nearly uniform 
element a £r R. 

Encoding: Ck 4— enc(params, fc, c). This procedure out¬ 
puts the “level-i encoding” Ck £ for a “level-zero 

encoding ” c £ Sq°\ 

Re-Randomization: c' 4— rcliaridfpararris, 1 , c). Proce¬ 
dure reRand can re-randomize encodings relative to the same 
level i. 

Addition and negation: u' 4— add(params, i, u,, u- 2 ) and 
u' 4— neg(jparams,i,uf). The two procedures are corre¬ 
sponding to operation '+’ and in the above definition. 

Multiplication: v! 4 — mul(params,i z ,u z ,i 2 ,u 2 ). This 

procedure is for operation ‘x’ in the above definition. 

? 

Zero Testing: isZero(params, P z t , u K ) = 0 / 1 . This proce¬ 
dure will check whether u K £ S^\ 

Extraction: sk 4— ext(params 1 P z t,u K ). This procedure 
extracts a “canonical” and “random” representation of ring 
elements from their level-K encoding. 

IV. SOFA: Framework and A Basic Scheme 

As a concrete example for secure network middlebox out¬ 
sourcing, we present SOFA in detail in this section. First, 
we will introduce our framework which is comprised of two 
phases, the obfuscating phase and the online execution phase. 
Then we give a naive scheme by directly applying the theoreti¬ 
cal conjunction obfuscation technique |9j- The discussion of its 
lack of feasibility will lead to our basic scheme, which is much 
more efficient in obfuscating the original firewall. And in the 
next section, we will further present another two approaches 
to boost our scheme’s efficiency in execution phase. 


Our framework SOFA consists of two phases. The first 
phase is the construction of an obfuscator for original firewall 
/. And this work is done by the control plane of SDN in 
the local enterprise. The second phase is the execution of the 
obfuscated firewall f'=0(f) in the cloud. And this task should 
be done by the control plane of cloud firewall provider. 

Obfuscation Phase: In the first phase, the controller of the 
enterprise SDN can set up the basic cryptographic parameters 
of the multilinear map. And then for each rule r in the 
firewall, such as these in Table |U the control plane generates 
a corresponding atomic rule “ciphertext” r'. Subsequently, 
the control plane can aggregate these atomic ciphertexts to 
be an integral secure firewall /'. And at last it sends /' and 
some necessary public parameters to the cloud provider. This 
obfuscation phase for firewall can be done offline and once 
for all. And if there are some updates for the firewall /, we 
can just reconstruct the related atomic rules, reassemble them 
and then replace the old ones in /'with them. But this process 
still should be done as efficiently as possible since one main 
purpose of outsourcing is to reduce costs for enterprises. 

Execution Phase: After receiving /', the cloud firewall 
provider performs the packet filtering task on the inbound 
and outbound traffics of the protected enterprise. For each 
packet, the high-performance devices in the cloud, under the 
supervision of its controller, securely checks its packet header 
according to /'. If the packet is found satisfying a rule r\ 
the cloud firewall devices will take the corresponding actions 
associated with this rule, such as permitting it, or denying it. 

The firewall obfuscation is implemented with cryptographic 
multilinear map. So in the following we model the firewall 
rule and traffic packet header in the bitwise level. For each 
rule, we present it in the format of R = (v, W, A), where 
v £ {0,1}" specifies the expected bit, 0 or 1, on non¬ 
wildcard bits, the set W C [n] specifies the “wildcard” bits, 
and A indicates the associated actions. Note that actually set 
W is often the subnet mask in firewall rules. For ease of 
presentation, we denote F[i] = 0 if i £ IT. For instance, 
the rule #1 in Table Q] “192.168.45.*”, can be presented as 
V = “1100000010101000...”, IT = (25,26,..., 32} and 
A = {deny}. In addition, A is the output decision on a packet, 
it leaks little information about the detailed enterprise network, 
so we do not consider protecting it in this paper. Please see 
section El for a detailed analysis of our schemes’ security. 
Similarly, for a tarffic packet’s TCP/IP header, we also present 
its related bits as a n-bit vector p £ {0,1}". 


A. Fundamental Framework 

A cryptographic obfuscator of a program can make a 
program perform the same functionality while the detailed 
underlying instructions are hidden El Combining the idea 
of program obfuscation and the Definition Q] we observe 
that the privacy preserving firewall problem can be solved by 
constructing a cryptographic obfuscator O for firewall / such 
that/=C9(/). The secrets are the underlying firewall rules, and 
they can be hidden in /'. Generally, this relationship between 
privacy preserving outsourcing requirement and cryptographic 
obfuscator construction can be extended to other middleboxes. 


B. A Naive Scheme 


A naive and intuitive idea is to directly apply the theoretical 
construction of conjunction obfuscator j9] in obfuscating the 
firewall rules. Here we give a concise description of this 
scheme. For each rule r in firewall f we present it as 
r = (v, W, A). Then for the /-th bit of it, we generate two pairs 
of level-1 encodings in the GES (We term them “encoding 
pairs unit”): 


(ui,o,Vi,o) £ 
(uip,Viy) £ (S f ’ 1 


Qpi,0 XQ^o 

, 

Qpi, lXay 
, D 1 


(1) 

( 2 ) 
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In Equation (Q]) and (Q}. p t s). a^.o, p-i,i , cti, 1 are all randomly 
and uniformly chosen if i (/_ W, but for i G W, they should 
also satisfy o^o = Qr*,i. In addition to two pairs for each bit, 
an encoding pair is also generated for a whole rule: 

(Un+l,U„+l) e [S 1 + ,S 1 ) (3) 

In the execution phase, for each obfuscated rule, we pick 
and multiply encodings from each pair according to p and get 
the following two (n+l)-level encodings: 

LHS = u n+ 1 x Vi^,RHS = v n+ i x ( 4 ) 

iG [n] iG [n] 

At last procedure isZero is performed to determine whether 
LHS (Left-hand side) and RHS (Right-hand side) are equal 
to judge whether packet p satisfies this rule and which actions 
to take. 

Actually, the scheme we briefly presented above is the 
simplified symmetric counterpart for the original asymmet¬ 
ric construction in GO, and the asymmetry is vital in its 
theoretical security proof to defend the DDH attack which 
may leak the wildcard locations. It is much harder and 
inefficient to construct such an asymmetric multilinear map. 
More importantly, as we all know, the wildcard part in a IP 
address is for indicating the subnet range, and these bits are 
always continuous in the later part. Nothing additional useful 
information about specific subnets or hosts, except for the the 
size of an unknown subnet, can be discovered without v. So 
leaking this subnet mask rather than the specific prefixes ( v 
) is acceptable in most firewall scenarios. Thus in this paper, 
we do not attempt to perfectly defend such DDH attack and 
herein we use symmetric multilinear map in all our schemes 
and leave such protection as future work. But we point out 
that following schemes are also fit for asymmetric one. 

Discussion. Now we argue that this naive scheme will have 
serious issues in practical application. 

(1) Its time and space consumption in the obfuscating phase 
will be too large. If we have l rules in a firewall, then 
the obfuscation will take Q(ln + l) times encoding and re¬ 
randomization, and need store Q(ln + l) encoding ciphertexts. 
In addition, when n is large, the singe procedures will take 
more time and the storage will also be larger. So such privacy 
preserving scheme will be impractical due to the computation 
and storage cost in obfuscating phase is hardly acceptable. 

(2) When n is large, it also will be much harder to construct 
the GES due to the noise limit. Thus to make the 2 (n + 1) 
multiplication operations and isZero viable, the underlying 
GES parameters have to be set large enough. Consequently 
the real-time execution in cloud will be too inefficient to have 
any practical usability if we adopt the naive scheme directly. 

Therefore we have to make up for these limitations to make 
it more practical. 

C. Our Basic Scheme 

Here, we first give a basic scheme by compressing the 
encodings to address the issue (1) discussed above. The com¬ 
putation and space complexity will be reduced from Q(ln + l) 
to 0(?i + l) encodings. This scheme is not as secure as the 


Algorithm 1 Basic Scheme For Obfuscating Firewall 

Input: A original plain firewall / with rule sets {r}. 

Output: A obfuscated firewall /' with the same functionality. 

( params , P zt ) 4— InstGen( 1 A , l ra+1 ). 
for * G {1,..., M + N} do 

C Pi 0 4— samp(-), Cp .,1 samp(-). 

if i < M then 

C ai0 = C ai l 4— samp(-). 

else 

C ai0 4— samp(-), C ai l 4— samp(-). 

end if 

Cp 4— enc {•, 1, C Pi 0 ), Ui t o 4— reRand (•, 1, Cp). 

Cry 4— enc {•, 1, C Pi a x C ai0 ), i^o •*— reRand (•, 1,C 7 ). 
Cs 4— enc {•, 1, C Pi l ), Ui,± 4— reRand( 1, Cs). 

C e 4— enc(-, 1, C Pi l x C ai l ), 4— reRand {•, 1, C e ). 

C[i\ = {(u»,o,«*,o),(«i,i,w»,i)}- 

end for 

C=a(C). 

E = {a(l),...,a(M)}, 

UE = {<t(M + 1),..., <t(M + N)}. 
for r = ( v , W,A)&f do 

for i G {1,..., n} do 

if i G W then 

P r [i] £ E. 

else 

P r [i] £ UE. 

end if 
end for 

Pi,n +1 samp(-), 

Cg 4— enc (•, 1, C Pi n+1 ), u„+i 4— reRand (•, 1, Ce). 

Cp 4— enc {•, 1, C Pi , n+1 x n ie[n] C[P r [i]].C aii<f[1] ), 
v n+ i 4— reRand (•, 1, Cp). 
r — (Pr : ttn+l i . 

end for 

return /= ({C\i]} ie[M+N] , {r'},P zt ,pararris'). 


naive one, but the amount of leaked information is limited and 
acceptable ( please see section [VI] for details). 

In the naive scheme, the encoding pairs (ii-ip, t’i.o) and 
i, u, i) for every rule are dependent on W while the pair 
(u„+i, w n +i) is dependent on v. Now we give our basic 
scheme, in which the encoding pairs for each bit every rule 
are extracted and shared. 

The obfuscating steps are summarized as Algorithm qE 
utilizing primitive procedures in GES. We first get M + N 
encoding pairs units, of which the first M units have equal 
random ratios in two encoding pairs while in the last N units 
such ratios are different. Then we permute (er) these encoding 
pairs units to shuffle them, and then collect two indexes sets: 

E={a(l),a(2),...,a(M)}, (5) 

UE = {a(M + 1), cr(M + 2),..., cr(M + N)}. (6) 

^or conciseness, we denote the parameter params as “ ■ ” in every 
primitive procedure in all our following algorithms. In addition, The C we 
outsource do not contains Co- , but in the obfuscating phase, we use 
C[P r [i]]-C 0 c i to denote the access for presentation convenience. 
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Algorithm 2 Execution with Outsourced Firewall /' 

Input: A packet p= {0,1}", and obfuscated firewall /'. 
Output: Decisions on p. 

for r' = (P r ,u„ + i,v n +i,A) G f do 
LHS = M n +i x n ieW 
RHS = IVj+1 X Hie[n] C[-Pr[*]]-Wi,p[i]- 
if isZero{params' , P z t,LHS — RHS) then 
return A and exit, 
else 

Continue checking p with the next rule. 

end if 
end for 


Set E collects the indexes of encoding pairs units with a:,; o = 
while set UE collects those with a^o ^ &i, l- 

To obfuscate a rule r = (v. W. A), we attach an encoding 

pairs unit indexes array p r to r' such that if i G W, then p r [i\ 

Ft 

is randomly sampled without replacement (■«/-) from set E, 
otherwise it is randomly sampled without replacement from 
set UE. Thus p r specifies the n encoding pairs units for 
rule r. Then {u n +\, for this rule is calculated according 

to Equation (0 by choosing encoding pairs in C[P r [z]] with 

v. At last, public parameters params ' of GES and zero-test 
parameter P zt are also included in the obfuscated firewall 
/'. We emphasize that we should sample randomly without 
replacement rather than directly sampling with replacement. 
This trick is used to eliminate the possibility of false positive 
which may happen when two non-wildcard bits with different 
values chose the same encoding pair unit. 

In the second phase, the execution of outsourced firewall 
/' is straightforward. The basic steps are summarized in 
Algorithm |2] For an input packet p, we check whether it 
satisfies an underlying rule in f' sequentially. Note that for 
each obfuscated rule r', the multiplications are also performed 
on encodings chose from encoding pairs units C specified by 
p and P r . 

Our scheme’s correctness can be verified easily. In Algo¬ 
rithm Q] only two encodings are generated to a specific rule. 
The overheads of P r generation is negligible compared to 
encoding and re-randomization, thus it is easy to figure out 
the complexity of Algorithm Q] is 0(n + /). Thus the basic 
scheme is efficient in the obfuscation phase. The efficiency in 
execution phase is not bad, but needs further improvement. 

V. Online Efficiency Improvement 

In this section, we try to improve the efficiency and us¬ 
ability of our scheme in the online execution phase. As we 
have discussed previously, the online efficiency is vital for 
middlebox outsourcing scheme. The two enhanced schemes 
we propose here can reduce its complexity from 0(?r) to 0(/c) 
or 0(n/fc) on faster encodings’ multiplication operations. The 
cost is 0(1) increasement in encoding and re-randomization 
in the first phase. 

The main guideline for our improvement is to reduce over¬ 
heads of single multiplication and the times of multiplication. 
To this end, in both of the following approaches, we partition 


Algorithm 3 Firewall Obfuscation (Blocking Approach) 

Input: A original plain firewall / with rule sets {r}. 

Output: A obfuscated firewall /' with the same functionality. 
Generate parameters: 

{params, P zt ) G- InstGen{ 1 A , l fc+1 ). 
for r= {{Fi} im ,A) Gf do 
for i G {1,... , k} do 
C m G- samp(-). 
for j G R do 
C Pj <- samp{■) 
if j G Si then 
C aj =C m . 
else 

C aj G- samp{-). 

end if 

Cry g- enc(-, 1 , Cpj), C$ G- enc{-, 1 , Cp j x C aj ), 
u i,j G- reRand{-, 1, C 7 ), Vij G- reRand{ ■, 1, Cg). 

end for 
end for 

C Pk+ 1 G- samp(-). 

C e G- enc {•, 1, C Pk+1 ), 

Uk+ i G- reRand{-, 1, C e ), 

Cg g- enc{-, 1, C Pk+1 x [fc] 

Vk+i G- reRand {•, 1 ,Cg). 

r ' ~ * * * * v i,j)} i& [k]J&I^ U k+G v k+l,A). 

end for 

return f'= ({r'},P zt ,params’). 


an original bit-wise rule into several parts. In the blocking 
approach, we then construct an encoding pair for an element in 
each part rather than for each rule bit, and thus we can check a 
packet in block level rather bit level. In the divide-and-conquer 
approach, we then test if a packet satisfies the rule in each part 
separately and sequentially with less encoding levels. 

A. Blocking Scheme 

We find that if we view a firewall rule in a higher level rather 
than the primitive bit level, there will be fewer occurrences of 
multiplication needed in online phase. If the block is small 
enough, the single multiplication will also take less time. To 
this end, we take another approach of firewall obfuscation by 
constructing in block level rather than bitwise level. The basic 
steps in the first phase are described as algorithm [3] 

Note that for brevity and highlighting the key idea, this 
algorithm is described based on the naive scheme. The en¬ 
coding pairs compression idea in basic scheme can be easily 
integrated in algorithm [3] We omit this integration here. 

Specifically, in the first phase, for a firewall rule, we split 
it into k fields, each with a small integer range. Take the 
second rule in table Q] as an example, we can split its IP 
source address header into four fields, each with the same 
domain /i, 2 , 3,4 = [0, 255] (Just as its dotted decimal notation). 
In each field, the rule specifies a target filter set, such as 
Fi = 192, F ‘2 = 168, J *3 = 45 and F 4 = [0, 255] for the above 
example. Another advantage of this approach is that it enables 
us to process some rare extended ACLs with port range. For 








7 


example, for the destination port range in the rule #3 in table 
U we can directly set the corresponding target filter set as 
[22,88], So now a rule can be presented as r = , A). 

After this partition, for each field i within the domain we 
“encrypt” each element in it with a level-1 encoding pair. The 
key point is that, for all elements that are in the filter set F. j: , 
the underlying ratios of the two encodings in their encoding 
pairs are all equal to a constant number which is specified 
for each field in this obfuscation. Finally, just similar to basic 
scheme, these ratios in each field are aggregated in a product 
of them, which is also hidden as a ratio in another level-1 
encoding pair (u k + i,Vk+i): 

(u k +i,v k +i) € (7) 

Then, in the second phase, as a consequence of the sim¬ 
plification in the first phase, the burden of the cloud firewall 
provider will be greatly relieved. For a packet p, cloud firewall 
provider also splits its packet header into k blocks, which 
means that we can present it in the format of an integer 
tuple {pi, ■. ■ ,Pk)- Then an encodings pair in each field is 
chosen according to the integer tuple value followed by the 
computation of two level-(fc + 1) encodings ,LHS and ////.S', 
by multiplying them. At last the equality of LHS and RHS 
is tested and thus a decision upon this packet can be made. 
The modification of algorithm 2 to coordinate with algorithm 
3 is easy, so we leave out the details here. 

B. Divide-and-Conquer Scheme 

To reduce overheads of a single multiplication, we can 
decrease the maximum levels in GES. So another strategy we 
can take is divide-and-conquer. We divide the whole bit-string 
rule (v, W. A) into k parts: (v, W, A) = {{vi,Wi}i<i< k , A). 
And in each part, we construct a obfuscated r[ in the same way 
as algorithm 1. Thus the corresponding obfuscated firewall will 
be f = params'). Similarly, in 

the second phase, we also partition the packet in the same 
way, and get p = (pi)i<i<k- Then we can check whether p 
matches the underlying r by checking pi with r[ in each part 
sequentially with algorithm 2. 

This approach is simple, but effective, as will be demon¬ 
strated in our experiments. It is not hard to modify the basic 
scheme in this approach, so we omit the details here. 

VI. PRIVACY ANALYSIS 

In this section, we will take a close look at the security of 
the privacy preserving schemes we proposed. 

1) Analysis of the basic scheme: In 13, the authors have 
proved the naive scheme is secure when the inputting function 
is drawn from a distribution with a high superlogarithmic en¬ 
tropy given the GXDH assumption and the GCAN assumption 
13 are true or in the generic model where the adversary is only 
allowed to manipulate encodings via oracle access. 

When parameters M and N are large enough, our basic 
scheme achieves the same security as the naive scheme and 
the security proof is roughly the same as proofs provided in 
ED- Due to both completeness considerations and the page 
limit, below we present the proof sketch for the high entropy 


input distribution case only and neglect the proof in the generic 
model. 


Theorem 1. When M and N are large enough so that all P r [i\ 
are different, Algorithms 1 and 2 are secure when ( v, W) is 
drawn from a distribution where the entropy of v given W is 
superlogrithmic given the GXDH assumption and the GCAN 
assumption are true. 


Proof: Same as S3, by claiming Algorithm 1 and 2 are 
secure we mean that, for each rule r, anything that the cloud 
firewall provider or the adversary learns from the execution of 
the two algorithms can be learned from a blackbox firewall by 
constructing a simulator S that simulates the adversary’s view 
from algorithms 1 and 2 given only the access of a blackbox 
firewall. 

In particular, the adversary’s view is the obfuscated firewall 
output by Algorithm 1 :({C[i]} ie[M+N] , {r'}, P zt ,params'). 
S simulates {C'[i]} ig j M+ j V ] with i(M + N) uniformly random 
level-1 encodings: ({< i0 , u' iA , v' iA } ie [ M+ N])- S first runs 
InstGen and get a random P zt and random public parameters 
params". For each r', S can simulate P r with n different ran¬ 
dom samplings in [M + /V] , simulate (it n+ i, t; n +i) with two 
uniformly random level-1 encodings: (u' n+1 , <+i). simulates 
A with A itself, and simulates P zt and params' with P' zt and 
params". Due to the GCAN assumption and the entropy of v 
given W is superlogrithmic, we know u n +i,v n +i is indistin¬ 
guishable from uniform thus is independent with any pair in 
{C[i]}. In addition, due to the GXDH assumption, we know 
each C[i] is indistinguishable from {u[ 0 , v[ 0 , u\ 1; v\ j), and 
(u n +i,v n +i) is indistinguishable from {u' n+1 , v' n+l ). Thus we 
know S simulates the algorithm l’s output for ((v. W )) input. 
For algorithm 2’s output, the S can simply use the access of 
the blackbox firewall to get it. ■ 

When M and N are not large enough. Algorithm 1 reveal 
partial information about the rules. The leakage could happen 
when for different rules r\ and 7 - 2 , there exist i, j £ {1,..., n } 
such that P ri [*] = P r2 [j]. In this case, the adversary would 
notice similar “wildcard or not” information between two bit 
locations in two rules. We can figure out that the probability 

( M \ /AT-IWih ( N \ (N- mi \ 

for such leakage is 1 - ( 'Tm w'aH ) ' ( 7" ) 


1 ^ 1 / \ | Wo | / 

])!\ _ ( (jV-mi)!-(A/-m 2 )h 
)! / V iV!-(iV-mi-m2)! 


m 2 7 

in which the 


1 _ / (M-I^DKAf-IWal) 

V |VKi| —|IV 2 |)! 

Wu W 2 is the wildcard bits set in r\ and W 2 each, and ml = 

n— \ Wi\,m2 = n — \W 2 1. So if such leak is unacceptable, we 
may increase the value of M and N in practice. 

2 ) Analysis of the Blocking Scheme: The main difference 
between the basic and blocking scheme is that Algorithm 3 
“encrypt”s each integer in each field rather than “0” or “1” 
on each bit. For similar reasons as Algorithm 1, we also give 
a proof sketch for Algorithm 3’s security in the case of high 
entropy inputs and leave out the detailed proofs. Note that 
Algorithm 3 itself achieves the same security as the naive 
scheme’s security. So when integrated with basic scheme, the 
blocking scheme is as secure as Algorithm 1. 


Theorem 2. Algorithm 3 is secure when (v, W ) is drawn 
from a distribution where the entropy of v given W is 
superlogrithmic given the GXDH assumption and the GCAN 
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B. Primitive Cryptographic Overheads 
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Fig. 1: Computation overheads of primitive procedures in GES 


assumption are true. 

Proof: The proof goes similarly as the Proof of 
Theorem [Q The only difference here is S simulates 
algorithm 3’s output ({(uij,Vij)} ie[k]JeIi ,u k +i,v k +i) 
with 2 T,i\Ii\ + 2 uniformly random level-0 encodings: 

v i,i}ie[n}jeiv u 'k+\iv'k+i)- Due t0 the GXDH assump¬ 
tion, we know for each i G [n], {< uf ,-, v\ 7 is 

still indistinguishable with {< Uij, Vij >}jeU- Due to the 
GCAN assumption and the entropy assumption, we know 
each {< >}j£ii and (wfc+i,ffc+i) are independent 

with each other, and ( Uk+i,Vk+i ) is indistinguishable with 
[u' k+1 ,v' k+1 ). Therefore, S simulates algorithm l’s output for 
((v, W)) input. ■ 

3) Analysis of the Divide-and-Conquer Scheme: The 
divide-and-conquer scheme break the matching of one rule 
into several k parts. It is easy to see it has the same amount 
of security except it reveals the matching results of all parts 
in addition. 


VII. Experiments 

To evaluate the feasibility and performance of SOFA, we 
implement our algorithms in C++, and carry out experiments 
on real-world firewall rules. The cryptographic multilinear map 
we employ is the one constructed over integers GO), (221. 

A. Experiment Setup 

Our experiments are conducted on a PC running Linux with 
2.90 GHz Inter(R) Core(TM) i7 CPU and 8 GB RAM. And 
we use 50 standard real-world firewall rules to evaluate the 
scalability of our algorithms. Note that our blocking scheme 
can also deal with the extended rules with minor modification. 
To leave out unnecessary details, these rules are preprocessed 
such that only the fields in the IP/TCP header are included in 
r. In reality, many firewall rules belong to this type. 

The generation of an instance of a practical multilinear map 
involves the configuration of many parameters ifTOl . And the 
configuration will affect its performance and usability, which 
is related to the control of the “noise”. So it should be tuned 
with specific application. Thus we do not present the tedious 
detailed parameters of our experiments here. Instead our 
settings ensure the “noise” in our experiments is under control 
such that no correctness will be sacrificed for efficiency. 


The procedures of GES that we have defined are the basic 
steps in our algorithms, so we first measure the efficiency 
of these primitive cryptographic operations. We set the mul¬ 
tilinearity level k= 5, 9 and 33, which are the parameters 
for obfuscating a standard rule each for the basic scheme, 
the divide-and-conquer scheme and the one with blocking 
approach. The results are shown in figure [Q 

We can observe from the results that the ring sampler 
takes only less than 1 millisecond. The encoding and re¬ 
randomization procedure are always performed together, so we 
measure them together, and we can observe that the multilin¬ 
earity level affects its running time greatly. The multiplication 
procedure is the major operation in the second phase, and it 
can be seen that its efficiency is also strongly affected by 
the multilinearity level, which determines the specific system 
parameters. We can also see that the zero testing procedure is 
relatively lightweight in computation overheads. 


C. Performance in Obfuscation Phase 

The first phase, the obfuscation of original firewall rules, 
is performed locally by the enterprise SDN controller. We 
first measure the impact of the bit numbers n (note that the 
corresponding multilinearity level in GES is n + 1) on the 
performance of naive scheme (Figl2al). The time overheads of 
procedure Instance Generation and the obfuscating time of a 
single standard rule are measured separately. From Fig|2a] we 
can see that both of them grow linearly with respect to the bit 
size. Specifically, when n = 32 ( which we need when naive 
scheme is adopted to protect the standard rules), the first takes 
about 0.8 seconds, while the obfuscating for a rule takes about 
4.1 seconds. This shows the inefficiency of naive scheme. 

And we also measure the scalability of the schemes we 
proposed (Figl2bl Fig|2cl Fig ]2dl ) and the effect of basic 
scheme on other approaches. The results show that by the 
encodings compression of our basic scheme, the obfuscation 
of original rules can be greatly accelerated. This is in line 
with our theoretical analysis. These results also show that our 
framework is elastic with different number of rules. 


D. Performance in Execution Phase 

The performance in the second phase, the real-time execu¬ 
tion of the obfuscated firewalls in the cloud, is more crucial. 
We measure our solution’s performance in this phase with 
different number of rules, the result is shown in Fig[3] From 
the result we can see that the blocking scheme is much more 
efficient. Actually, we find that the running time to check 
a packet with them is separately 300, 100, 6 milliseconds. 
Considering that our experiments are performed on a ordinary 
PC and no modem firewall process acceleration techniques 
(such as FDD) are adopted, our schemes, especially blocking 
scheme, are practical. And in practice, when adopted in cloud 
processing, many parallelism and acceleration means can be 
taken to make our scheme faster. 
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(a) Naive Scheme with Various Bits (b) Naive and Basic scheme 



(c) Divide-and-Conquer Scheme (d) Blocking Scheme 

Fig. 2: Time Performance in the First Phase 



Fig. 3: Time Performance in the Second Phase 

VIII. Conclusion 

In this paper, we propose solutions to make it secure for an 
enterprise to outsource firewalls. The security of our schemes 
have solid theoretical foundation. And the experiment results 
show that our schemes are also practical to use. 

There are more other network functionalities, such as IDS, 
IPS, that can be outsourced, and their privacy issues must be 
considered too when outsourcing. We think the framework we 
propose also works for them because many of them are also 
based on packet header filtering. But since their configurations 
are different from firewalls, so the specific solutions to them 
will also vary. We leave this as our future work. 
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